In order to gain access to applications or other resources via a computer or other user device, users are often required to authenticate themselves by entering authentication information. Such authentication information may comprise, for example, usernames and passwords. Users often have multiple usernames and passwords that may be used to access a plurality of websites. A user might have one username/password combination for a first class of websites that store sensitive information, such as financial websites, and a second username/password combination for a second class of websites, such as social networking sites. It is often challenging for a user to remember each username/password combination.
Single sign-on (SSO) solutions, such as OpenID, have been proposed. SSO solutions provide access control for multiple systems, allowing a user to log in once and obtain access to all systems without being prompted again to log in at each system. Similarly, OAuth is an open standard for authorization. OAuth allows users to share private resources, such as photos and contact lists, stored on a first site (often referred to as a “Service Provider”) with another site (often referred to as a “Consumer”) without having to provide their credentials. OAuth is used when a user wants a Consumer to retrieve data from a Service Provider securely, on his or her behalf.
Under OAuth, once a relationship is established between a Consumer and a Service Provider, the communication often happens directly between the two, without involving the user. Typically, the Consumer is provided with the username of the user and password tokens. Each token grants access to the Consumer for specified resources (e.g., access to a given album). In this manner, the user can grant the Consumer access to their information stored with the Service Provider, without sharing their access permissions or the full extent of their data.
When both the Service Provider and the Consumer support OAuth, the user mediates and approves the Consumer to access the information from the Service Provider. This often happens when the Consumer redirects the user to the Service Provider's authorization page. On the authorization page, the user can either accept or reject the requested permissions, which are often vague and very broad, leaving a potential for abuse by the Consumer.
Thus, improved security techniques are needed to reduce the susceptibility of the user to such abuse by the Consumer.
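As an added illustration of the authorization redirect described above (example code written for this page, not part of the original text or of any OAuth library), the following shows one way a Service Provider can screen an incoming authorization request before presenting it to the user: the Consumer id, redirect target and requested scopes are parsed from the redirect URL and checked against a per-Consumer least-privilege allowlist, so that an overly broad or missing scope is refused rather than left for the user to judge. All Consumer names, scope names and URLs are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed least-privilege policy for a Service Provider: the scopes each
# registered Consumer may request and the redirect URIs it registered.
# All names here are hypothetical.
POLICY = {
    "photo-printer-app": {
        "scopes": {"photos:read"},
        "redirect_uris": {"https://printer.example/cb"},
    },
    "calendar-sync": {
        "scopes": {"calendar:read", "calendar:write"},
        "redirect_uris": {"https://calsync.example/oauth/return"},
    },
}


def parse_authorization_request(url):
    """Pull the Consumer id, redirect target and requested scopes out of the
    authorization-page URL the Consumer sends the user to."""
    qs = parse_qs(urlparse(url).query)
    consumer = qs.get("client_id", [None])[0]
    redirect_uri = qs.get("redirect_uri", [None])[0]
    # Scopes are space separated. A missing or empty scope is treated as a
    # request for everything ("*"): the vague, overly broad ask the text warns about.
    raw = qs.get("scope", [""])[0]
    scopes = set(raw.split()) if raw.strip() else {"*"}
    return consumer, redirect_uri, scopes


def evaluate_request(url, policy=POLICY):
    """Decide whether the Service Provider should even show this request to the
    user. Returns ("allow", []) or ("deny", [reason, ...])."""
    consumer, redirect_uri, scopes = parse_authorization_request(url)
    entry = policy.get(consumer)
    if entry is None:
        return "deny", ["unregistered_consumer"]
    reasons = []
    if redirect_uri not in entry["redirect_uris"]:
        reasons.append("unregistered_redirect_uri")
    # Anything beyond the Consumer's registered allowlist (including "*") is excess.
    for scope in sorted(scopes - entry["scopes"]):
        reasons.append("excess_scope:" + scope)
    return ("deny" if reasons else "allow"), reasons
```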